1. Explain risk, vulnerability and threat? 
TIP: A good way to start this answer is by explaining vulnerability, and threat and 
then risk. Back this up with an easy to understand example. 


A vulnerability (weakness) is a gap in the protection efforts of a system; a threat is an
attacker who exploits that weakness; risk is the measure of the potential loss when the
vulnerability is exploited by the threat. Example: a server left with its default username
and password is the vulnerability, an attacker who logs in with them is the threat, and
the resulting compromise of the server is the risk.


2. What is the difference between Asymmetric and Symmetric encryption 
and which one is better? 


Symmetric encryption uses the same key for both encryption and decryption, while 
Asymmetric encryption uses different keys for encryption and decryption. 


Symmetric is usually much faster, but the shared key needs to be transferred to the other
party first, and if that happens over an unencrypted channel it can be intercepted.


Asymmetric, on the other hand, is more secure but slow. Hence a hybrid approach should
be preferred: set up the channel (exchange the session key) using asymmetric encryption,
then send the data using symmetric encryption.


3. What is an IPS and how does it differ from IDS? 


An IDS is an intrusion detection system whereas an IPS is an intrusion prevention
system. An IDS will just detect the intrusion and leave the rest to the administrator
for further action, whereas an IPS will detect the intrusion and then take action to
prevent it. Another difference is the positioning of the devices in the network: although
they work on the same basic concept, the placement is different, because an IPS has to sit
inline in the traffic path to block anything, while an IDS only needs to see a copy of the
traffic.


4. What is XSS, how will you mitigate it? 


Cross-site scripting is a JavaScript injection vulnerability in web applications. The
easiest way to explain it is the case where a user enters a script in a client-side input
field and that input gets processed without being validated. This leads to untrusted data
being stored and executed on the client side, in other users' browsers. It is mitigated by
validating input and, above all, encoding (escaping) output before it is placed in the
page, so that the data is rendered as text rather than interpreted as script.
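As an added example (not part of the original question set, and Python rather than the application's own code), the following shows the mitigation the question asks for: the same untrusted value rendered with plain string interpolation and with `html.escape` applied for the HTML body and attribute contexts. The input value is constructed; the `contains_raw_tag` helper is a hypothetical check used only to make the difference visible.

```python
"""Reflected XSS: unsafe string interpolation versus output encoding.

Added example, not part of the original question set. The page's point is
that untrusted input placed into a page without validation/encoding gets
executed by the browser; this shows the fix (html.escape) for two contexts,
HTML body and an HTML attribute. The input value is constructed.
"""
import html

# Constructed untrusted input, e.g. the value of a "name" query parameter.
UNTRUSTED_NAME = '<script>alert(1)</script>'


def render_greeting_unsafe(name):
    """Vulnerable: the parameter is pasted straight into the HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Hardened: entity-encode the value for the HTML body context."""
    return f"<p>Hello, {html.escape(name)}!</p>"


def render_input_safe(name):
    """Hardened for an attribute context: quote=True also encodes ' and \"."""
    return f'<input name="user" value="{html.escape(name, quote=True)}">'


def contains_raw_tag(page, tag="script"):
    """Hypothetical check for the demo: does an unencoded <tag opener survive?"""
    return f"<{tag}" in page.lower()


if __name__ == "__main__":
    print("unsafe:", render_greeting_unsafe(UNTRUSTED_NAME))
    print("safe:  ", render_greeting_safe(UNTRUSTED_NAME))
```

The encoded output still displays the user's text verbatim; the browser simply never sees a `<script>` start tag, which is the whole point of output encoding. Attribute values need the quote characters encoded as well, which is why `quote=True` is spelled out for that context.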


5. What is the difference between encryption and hashing? 


Point 1: Encryption is reversible whereas hashing is irreversible. Hashes of weak inputs
can still be "cracked" with brute force or rainbow tables, and collision attacks exist for
some algorithms, but the function itself cannot be reversed.


Point 2: Encryption ensures confidentiality whereas hashing ensures Integrity. 


6. What is CSRF? 


Cross-Site Request Forgery is a web application vulnerability in which the server does
not check whether a request was really initiated by the trusted client (the logged-in
user) or was forged on their behalf by another site; the request is just processed
directly. The answer can be extended with ways to detect this, examples and
countermeasures.
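As an added example (not part of the original question set), the following Python models the check the answer says is missing: a synchronizer token bound to the user's session, embedded in the server's own form, and required on every state-changing request. The in-memory `SESSIONS` dict is an assumption standing in for a real session backend.

```python
"""Synchronizer-token CSRF defence.

Added example, not part of the original question set. The server binds a
random token to the user's session, embeds it in its own forms, and rejects
any state-changing request that does not carry the session's token. Session
storage is an in-memory dict here (an assumption); a real app would use its
session backend.
"""
import hmac
import secrets

SESSIONS = {}  # constructed stand-in for server-side session storage


def start_session():
    """Create a session and mint a CSRF token for it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id):
    """Server-rendered form carrying the hidden token."""
    token = SESSIONS[session_id]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '</form>')


def handle_post(session_id, form_fields):
    """Return True only if the submitted token matches the session's token.

    hmac.compare_digest is used so the comparison time does not depend on
    how many leading characters happen to match.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    submitted = form_fields.get("csrf_token", "")
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


if __name__ == "__main__":
    sid = start_session()
    good = {"csrf_token": SESSIONS[sid]["csrf_token"], "amount": "10"}
    forged = {"amount": "10"}  # a cross-site form cannot read the victim's token
    print("legitimate request accepted:", handle_post(sid, good))
    print("forged request accepted:", handle_post(sid, forged))
```

The defence works because a page on another origin can make the victim's browser send the cookie, but cannot read the token out of the legitimate form; checking the Origin or Referer header and using SameSite cookies are the usual complementary controls.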


7. What is a Black hat, white hat and Grey hat hacker? 


Black hat hackers are those who hack without authority. White hat hackers are
authorized to perform a hacking attempt under a signed NDA. Grey hat hackers are
white hat hackers who sometimes perform unauthorized activities.


8. What is a firewall?


A firewall is a device that allows/blocks traffic as per a defined set of rules. Firewalls
are placed on the boundary between trusted and untrusted networks.


9. Scans and their behaviour

Horizontal scan: a scan against a group of IPs for a single port.

Vertical scan: a single IP being scanned for multiple ports.

Box scanning: a combination of both vertical and horizontal scans (many IPs, many
ports).
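As an added example (not part of the original question set), the following Python classifies the three scan shapes from the defender's side, over a constructed connection log of the form `<src_ip> <dst_ip> <dst_port>` such as a firewall or NetFlow export might produce. The thresholds are illustrative assumptions, not values from the page.

```python
"""Classify port-scan patterns (horizontal / vertical / box) from connection logs.

Added example, not part of the original question set. It assumes a simple
connection log of the form "<src_ip> <dst_ip> <dst_port>" (constructed below);
the thresholds are illustrative, not values from the page.
"""
from collections import defaultdict

# Constructed sample log: one horizontal scanner, one vertical scanner,
# one box scanner and some ordinary repeated traffic.
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 22
10.0.0.5 192.168.1.11 22
10.0.0.5 192.168.1.12 22
10.0.0.5 192.168.1.13 22
10.0.0.6 192.168.1.20 21
10.0.0.6 192.168.1.20 22
10.0.0.6 192.168.1.20 80
10.0.0.6 192.168.1.20 443
10.0.0.7 192.168.1.30 22
10.0.0.7 192.168.1.31 22
10.0.0.7 192.168.1.32 22
10.0.0.7 192.168.1.30 80
10.0.0.7 192.168.1.30 443
10.0.0.7 192.168.1.30 8080
10.0.0.8 192.168.1.40 443
10.0.0.8 192.168.1.40 443
"""

HORIZONTAL_MIN_HOSTS = 3   # distinct targets on one port (assumed threshold)
VERTICAL_MIN_PORTS = 3     # distinct ports on one target (assumed threshold)


def parse_log(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])


def classify_scans(text):
    """Return {src_ip: 'horizontal' | 'vertical' | 'box'} for scanning sources."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, port in parse_log(text):
        hosts_per_port[src][port].add(dst)
        ports_per_host[src][dst].add(port)

    result = {}
    for src in set(hosts_per_port) | set(ports_per_host):
        # horizontal: one port hit on many hosts; vertical: one host hit on many ports
        horizontal = any(len(d) >= HORIZONTAL_MIN_HOSTS for d in hosts_per_port[src].values())
        vertical = any(len(p) >= VERTICAL_MIN_PORTS for p in ports_per_host[src].values())
        if horizontal and vertical:
            result[src] = "box"
        elif horizontal:
            result[src] = "horizontal"
        elif vertical:
            result[src] = "vertical"
    return result


if __name__ == "__main__":
    for src, kind in sorted(classify_scans(SAMPLE_LOG).items()):
        print(f"{src}: {kind} scan")
```

In production the same two counters (distinct destinations per port, distinct ports per destination) are kept per source over a sliding time window, which is essentially how IDS port-scan preprocessors flag these patterns.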


10. What is malware analysis, and what are its steps?


Malware analysis is the process of learning how a piece of malware functions and what
the potential repercussions of a given sample are. Malware code can differ radically, and
it's essential to know that malware can have many functionalities. These may come
in the form of viruses, worms, spyware, and Trojan horses. Each type of malware
gathers information about the infected device without the knowledge or
authorization of the user.


11. CIA triangle?


Confidentiality: keeping the information secret.

Integrity: keeping the information unaltered.

Availability: the information is always available to the authorized parties.


12. Various response codes from a web application?


1xx - Informational responses

2xx - Success

3xx - Redirection

4xx - Client-side error

5xx - Server-side error


13. DDoS and its mitigation?


DDoS stands for distributed denial of service. A network, server or application is
flooded with a larger number of requests than it is designed to handle, making the
server unavailable to legitimate requests. The requests come from many different,
unrelated sources, hence "distributed". It can be mitigated by analyzing and filtering
the traffic in scrubbing centers: centralized data cleansing stations where the traffic
to a website is analyzed and the malicious traffic is removed before the clean traffic
is forwarded on.


14. What is a WAF and what are its types?


WAF stands for web application firewall. It is used to protect the application by
separating legitimate traffic from malicious traffic. A WAF can be either an appliance
(box type) or cloud based.


15. How do you handle antivirus alerts?


Check the AV policy first and then the alert. If the alert is for a legitimate file,
it can be whitelisted; if it is a malicious file, it can be quarantined/deleted. The
hash of the file can be checked for reputation on websites such as VirusTotal and
malwares.com. The AV needs to be fine-tuned so that the number of alerts is reduced.


16. What is data leakage? How will you detect and prevent it?


A data leak is when data gets out of the organization in an unauthorized way. Data
can leak through various channels: emails, printouts, lost laptops, unauthorized
uploads to public portals, removable drives, photographs etc. Various controls can be
put in place to ensure that the data does not leak, for example restricting uploads
to internet websites, deploying an internal encryption solution, restricting mail to
the internal network, and restricting the printing of confidential data.


17. What is an incident and how do you manage it?


Any event which leads to a compromise of the security of an organization is an
incident. The incident process goes like this:

1. Identification of the incident

2. Logging it (details)

3. Investigation and root cause analysis (RCA)

4. Escalation, or keeping senior management/interested parties informed

5. Remediation steps

6. Closure report


18. DNS spoofing


DNS spoofing is also known as DNS cache poisoning. It is a type of computer security
attack in which attackers corrupt the DNS server's cache by replacing the legitimate
IP address for a name with a bogus one. This way they redirect all the traffic for that
name to a malicious website and collect the crucial information.


19. Ransomware attack mitigation


Disconnect the machine from the network to limit the intrusion: pull out the ethernet
cord and shut off the Wi-Fi.

Keep the computer on and do not try to restart it; otherwise, you could lose
information that may be useful in analyzing the attack.

Inform the company's security manager.

Find out the name of the ransomware.

Attempt to restore your data using the automatic backup systems of some operating
systems or your own backup system.

Recover your files from a storage service such as Dropbox if your computer has been
synchronized with this type of service.


20. What is XSS?


Cross-site scripting (XSS) is a code injection attack that allows an attacker to 
execute malicious JavaScript in another user's browser. 


21. Types of XSS 


While the goal of an XSS attack is always to execute malicious JavaScript in the
victim's browser, there are a few fundamentally different ways of achieving that goal.
XSS attacks are often divided into three types:


Persistent XSS, where the malicious string originates from the website's database.

Reflected XSS, where the malicious string originates from the victim's request.

DOM-based XSS, where the vulnerability is in the client-side code rather than the
server-side code.




22. LDAP injection 


LDAP Injection is an attack used to exploit web-based applications that construct 
LDAP statements based on user input. When an application fails to properly sanitize 
user input, it’s possible to modify LDAP statements using a local proxy. This could 
result in the execution of arbitrary commands such as granting permissions to 
unauthorized queries, and content modification inside the LDAP tree. The same 
advanced exploitation techniques available in SQL Injection can be similarly applied 
in LDAP Injection. 


23. What is SSL?


SSL (Secure Sockets Layer) is a standard security protocol for establishing 
encrypted links between a web server and a browser in an online communication. 


24. What is TLS?


Transport Layer Security, and its now-deprecated predecessor, Secure Sockets
Layer, are cryptographic protocols designed to provide communications security
over a computer network.


25. OWASP


The Open Web Application Security Project, an online community, produces freely
available articles, methodologies, documentation, tools, and technologies in the
field of web application security.


26. Cyber Kill Chain

Reconnaissance - Example: harvest email accounts

Weaponization - Example: couple an exploit with a backdoor

Delivery - Example: deliver the bundle via email or the Web

Exploitation - Example: exploit a vulnerability to execute code

Installation - Example: install malware on the target

Command and Control - Example: a command channel for remote manipulation

Actions on Objectives - Example: the intruder uses the access to accomplish the goal


27. Malware and its types


Malware is a broad term for the several types of malicious code created by
cybercriminals to prey on online users. The word "malware" is a contraction of
"malicious software".


Different Types of Malware: 


#Computer Virus 

Created to relentlessly self-replicate, it infects programs and files. The malicious
activities may be aimed at destroying valuable data or causing irreparable damage.

#Spyware 

The name says it all: the software is created to spy on the victim, so it is secretly
implanted on the computing device by the hacker. The spyware gathers information
and sends it to the hacker.

#Adware 

The malicious program is devised to pop-up unwanted advertisements on the 
victim’s computer without their permission. The pop-ups are uncontrollable and 
tend to behave erratically, they usually appear numerous times on the screen and it 
becomes tedious to close them. 

#Rootkit 

A rootkit assists a hacker in remotely accessing or controlling a computing device or
network without being exposed. Rootkits are hard to detect because they can become
active even before the system's operating system has finished booting.

#Trojan Horse

The name "Trojan horse" comes from the ancient Greek tale of the Trojan War. As in
the story, the malicious program sneaks into the victim's computer disguised as
a legitimate program that users will accept and want to use.

#Worm 

A worm is malicious code that copies itself and spreads to other computers, using
the network to reach other devices. An infected network or system may slow down and
face unexpected hiccups while the worm is in full swing. While a computer virus
attaches itself to other programs and executable code, a worm spreads across the
network on its own; this is the notable difference between the two.

#Ransomware 

As the name implies, ransomware is ransom malware. It blocks the user from accessing
their files or programs and demands payment of a ransom through certain online
payment methods. Once the amount is paid the user can resume using their system.

#Keylogger 

A keylogger runs in the background and records every keystroke that a user makes on
their device. It steals user credentials and confidential data and forwards them to
the hacker for malicious purposes.

#Botnet 

The cybercriminal blocks the user's actions and takes full control of the system. The
hacker builds a network of malware-infected computers, each of which functions as a bot.
The botnet is used to distribute malware, send spam emails, and execute other
malicious tasks.


28. Backdoor attack 


A backdoor is a malware type that negates normal authentication procedures to 
access a system. As a result, remote access is granted to resources within an 
application, such as databases and file servers, giving perpetrators the ability to 
remotely issue system commands and update malware. 

Backdoor installation is achieved by taking advantage of vulnerable components in 
a web application. Once installed, detection is difficult as files tend to be highly 
obfuscated. 

Web server backdoors are used for several malicious activities, including:

Data theft

Website defacing

Server hijacking

Launching distributed denial of service (DDoS) attacks

Infecting website visitors (watering hole attacks)

Advanced persistent threat (APT) assaults


29. Phishing


Phishing is a type of social engineering attack often used to steal user data, 
including login credentials and credit card numbers. It occurs when an attacker, 
masquerading as a trusted entity, dupes a victim into opening an email, instant 
message, or text message. The recipient is then tricked into clicking a malicious 
link, which can lead to the installation of malware, the freezing of the system as 
part of a ransomware attack or the revealing of sensitive information. 


30. Deceptive phishing


The most common type of phishing scam, deceptive phishing refers to any attack 
by which fraudsters impersonate a legitimate company and attempt to steal 
people’s personal information or login credentials. 


31. Spear phishing


Spear phishing is an email-spoofing attack that targets a specific organization or
individual, seeking unauthorized access to sensitive information.


Review 


What is Symmetric & Asymmetric Encryption? 


Symmetric algorithms: (also called “secret key”) use the same key for both 
encryption and decryption; Asymmetric algorithms: (also called “public key”) use 
different keys for encryption and decryption. 


Difference between Proxy and Firewall? 


A firewall and a proxy server are both components of network security. To some
extent they are similar, in that both limit or block connections to and from your
network, but they accomplish this in different ways.


Firewalls can block ports and programs that try to gain unauthorized access to your
computer, while proxy servers basically hide your internal network from the
Internet. A proxy works like a firewall in the sense that it keeps your network from
being exposed to the Internet by redirecting web requests when necessary.


What is Spear Phishing? 


Spear phishing is an email-spoofing attack that targets a specific organization or 
individual, seeking unauthorized access to sensitive information. Spear-phishing 
attempts are not typically initiated by random hackers but are more likely to be 
conducted by perpetrators out for financial gain, trade secrets or military 
information. 


What is Phishing? 


Phishing is a form of fraud in which an attacker masquerades as a reputable entity 
or person in email or other communication channels. The attacker uses phishing 
emails to distribute malicious links or attachments that can perform a variety of 
functions, including the extraction of login credentials or account information from 
victims. 


What is Vishing?


The fraudulent practice of making phone calls or leaving voice messages purporting
to be from reputable companies in order to induce individuals to reveal personal
information, such as bank details and credit card numbers.


What is a Salted Hash?


In cryptography, a salt is random data that is used as an additional input to a
one-way function that "hashes" data, a password or passphrase. Salts are closely
related to the concept of a nonce. The primary function of a salt is to defend
against dictionary attacks and their hashed equivalent, a pre-computed rainbow
table attack.
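As an added example (not part of the original question set), the following Python ties this answer to question 5 (hashing is one-way; weak hashes can still be attacked with precomputed tables): it stores passwords with a per-user random salt and an iterated hash, and verifies them with a constant-time comparison. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the storage format are illustrative assumptions.

```python
"""Salted, iterated password hashing with a constant-time check.

Added example, not part of the original question set. It shows why hashing is
one-way (the stored value cannot be turned back into the password), how a
per-user salt defeats precomputed (rainbow) tables, and how to compare
digests safely. PBKDF2-HMAC-SHA256 from the standard library is used; the
iteration count and storage format are illustrative assumptions.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption; tune to your hardware budget


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>'.

    A fresh 16-byte salt is drawn per call unless one is supplied, so two
    users with the same password get different stored values.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
        expected = bytes.fromhex(digest_hex)
    except ValueError:          # malformed record: wrong field count, bad hex, bad int
        return False
    return hmac.compare_digest(digest, expected)


def same_password_different_hashes(password):
    """True when two hashes of the same password differ, i.e. the salt is doing its job."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong", record))
```

Because the salt is stored next to the digest, it is not a secret; its job is only to make each stored value unique, so a table precomputed for unsalted hashes is useless and every candidate password has to be re-hashed per user.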


What is a DDOS attack? 


A Distributed Denial of Service (DDoS) attack is an attempt to make an online 
service unavailable by overwhelming it with traffic from multiple sources. They 
target a wide variety of important resources, from banks to news websites, and 
present a major challenge to making sure people can publish and access important 
information. 


How can you determine if a malicious connection was initiated by the user?


1. Your computer is slowing down

2. Annoying ads are displayed

3. Crashes

4. Pop-up messages

5. The Internet traffic suspiciously increases

6. Your browser homepage changed without your input

7. Unusual messages show up unexpectedly

8. Your security solution is disabled

9. Your friends say they receive strange messages from you

10. Unfamiliar icons are displayed on your desktop

11. Unusual error messages

12. You can't access the Control Panel

13. Everything seems to work perfectly on your PC


Hashing and Encryption?


Hashing: A hash can simply be defined as a number generated from a string of
text. Other literature also calls it a message digest. In essence, a hash is smaller
than the text that produces it. It is generated in such a way that it is infeasible
to find another text that produces the same hash value.


Purpose of Hashing


- Hashing can be used to compare large amounts of data. Hash values can be
created for different data, meaning that it is easier to compare hashes than
the data itself.

- It is easy to find a record when the data is hashed.

- Hashing algorithms are used in cryptographic applications such as digital
signatures.

- Hashing is used to generate random strings to avoid duplication of data
stored in databases.

- Geometric hashing - widely used in computer graphics to find closest pairs
and solve proximity problems in the plane. It is also called the grid method and
has also been adopted in telecommunications.


Encryption: Encryption is the process of turning data into some kind of secret code
to minimize the chances of the data being accessed by eavesdroppers. It is the
most effective way of achieving data security in modern communication systems. In
order for the receiver to read an encrypted message, he/she must have the
password or security key that is used for decryption. Data that has not been
encrypted is known as plaintext, while encrypted data is known as ciphertext.


Purpose of Encryption 


The main idea of encryption is to protect data from an unauthorized person who
wants to read or extract information from a message that was not intended for them.


Encryption enhances security when sending messages over the Internet or
over any given network.


The following are key elements of security that encryption helps enhance.


- Confidentiality - an encrypted message cannot be read or changed by another
person.

- Encryption - it transforms data in such a way that only specific individuals can
transform the message back.

- Granular access control - users are limited in what they can see and do.

- It makes auditing for accountability easy. If a message is leaked, it is
easy to trace who did that and when, so security breaches can be sorted out
efficiently.

- Authentication - the origin of the message received can be traced, thus
facilitating authentication.


WHAT IS DATA LOSS PREVENTION (DLP)? 


Data loss prevention (DLP) is a set of tools and processes used to ensure that 
sensitive data is not lost, misused, or accessed by unauthorized users. DLP software 
classifies regulated, confidential and business critical data and identifies violations 
of policies defined by organizations or within a predefined policy pack, typically 
driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR. Once those 
violations are identified, DLP enforces remediation with alerts, encryption, and other 
protective actions to prevent end users from accidentally or maliciously sharing 
data that could put the organization at risk. Data loss prevention software and tools 
monitor and control endpoint activities, filter data streams on corporate networks, 
and monitor data in the cloud to protect data at rest, in motion, and in use. DLP also 
provides reporting to meet compliance and auditing requirements and identify 
areas of weakness and anomalies for forensics and incident response. 


What is APT? 


An advanced persistent threat (APT) is a prolonged and targeted cyberattack in 
which an intruder gains access to a network and remains undetected for an 
extended period. The intention of an APT attack is usually to monitor network 
activity and steal data rather than to cause damage to the network or organization. 


An APT attack can be detected using DLP.


What is SQL Injection?


SQL injection is a type of security exploit in which the attacker adds Structured
Query Language (SQL) code to a Web form input box to gain access to resources or
make changes to data. An SQL query is a request for some action to be performed
on a database. Typically, on a Web form for user authentication, when a user enters
their name and password into the text boxes provided for them, those values are
inserted into a SELECT query. If the values entered are found as expected, the user
is allowed access; if they aren't found, access is denied. However, most Web forms
have no mechanisms in place to block input other than names and passwords.
Unless such precautions are taken, an attacker can use the input boxes to send
their own request to the database, which could allow them to download the entire
database or interact with it in other illicit ways.


Query built from the form input, as the developer intended ($EMAIL is the value
typed into the form):

    SELECT fieldlist
    FROM table
    WHERE field = '$EMAIL';

The same query after the email field is given the value  anything' OR 'x'='x  :

    SELECT fieldlist
    FROM table
    WHERE field = 'anything' OR 'x'='x';

The added OR condition is always true, so the WHERE clause matches every row.


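As an added example (not part of the original question set), the following Python runs the page's login query both ways against an in-memory SQLite table with constructed rows: assembled from strings, the page's input `anything' OR 'x'='x` matches every row; passed as a bound parameter, the same input matches nothing because it is never parsed as SQL.

```python
"""The page's lookup query built two ways: string concatenation versus a parameter.

Added example, not part of the original question set. It uses an in-memory
SQLite table (constructed data) to show that the input  anything' OR 'x'='x
matches every row when the query is assembled from strings, and matches
nothing when the value is passed as a bound parameter.
"""
import sqlite3


def make_db():
    """Constructed sample table standing in for the page's 'table'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "Alice"), ("bob@example.com", "Bob")])
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: the value becomes part of the SQL text, exactly as on the page."""
    sql = f"SELECT name FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Hardened: the value travels separately from the SQL and is compared as data."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE email = ?", (email,))]


if __name__ == "__main__":
    db = make_db()
    suspicious = "anything' OR 'x'='x"
    print("unsafe:", lookup_unsafe(db, suspicious))   # every row
    print("safe:  ", lookup_safe(db, suspicious))     # no row has that literal email
```

The fix is not escaping quotes by hand but keeping the query text fixed and sending values through the driver's parameter binding; the same applies to ORMs, which do this underneath.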
What is Cross Site Scripting? 


Cross-site scripting (XSS) is a type of injection security attack in which an attacker 
injects data, such as a malicious script, into content from otherwise trusted 
websites. Cross-site scripting attacks happen when an untrusted source is allowed 
to inject its own code into a web application, and that malicious code is included 
with dynamic content delivered to a victim's browser. 


What is Cross-Site Request Forgery (XSRF or CSRF)? 


Cross-site request forgery (XSRF or CSRF) is a method of attacking a Web site in 
which an intruder masquerades as a legitimate and trusted user. An XSRF attack 
can be used to modify firewall settings, post unauthorized data on a forum or 
conduct fraudulent financial transactions. A compromised user may never know that 
such an attack has occurred. If the user does find out about an attack, it may only 
be after the damage has been done and a remedy may be impossible. 


What is Ping Sweep (ICMP Sweep)? 


A ping sweep (also known as an ICMP sweep) is a basic network scanning technique 
used to determine which of a range of IP addresses map to live hosts (computers). 
Whereas a single ping will tell you whether one specified host computer exists on 
the network, a ping sweep consists of ICMP (Internet Control Message Protocol) 
ECHO requests sent to multiple hosts. If a given address is live, it will return an ICMP 
ECHO reply. Ping sweeps are among the older and slower methods used to scan a 
network. 


What is PING OF DEATH (POD)? 


Ping of Death (a.k.a. PoD) is a type of Denial of Service (DoS) attack in which an
attacker attempts to crash, destabilize, or freeze the targeted computer or service
by sending malformed or oversized packets using a simple ping command.


PoD attacks exploit legacy weaknesses which may already have been patched in the
target systems; on an unpatched system, however, the attack is still relevant and
dangerous. More recently a different kind of attack, commonly known as a ping flood,
has become popular: the targeted system is hit with ICMP packets sent rapidly via
ping without waiting for replies.


What is Ping Flood? 


Ping flood, also known as ICMP flood, is a common Denial of Service (DoS) attack in 
which an attacker takes down a victim’s computer by overwhelming it with ICMP 
echo requests, also known as pings. 


The attack involves flooding the victim’s network with request packets, knowing 
that the network will respond with an equal number of reply packets. Additional 
methods for bringing down a target with ICMP requests include the use of custom 
tools or code, such as hping and scapy. 


This strains both the incoming and outgoing channels of the network, consuming
significant bandwidth and resulting in a denial of service.


What is VPN Tunneling? 


Virtual private network technology is based on the idea of tunneling. VPN tunneling 
involves establishing and maintaining a logical network connection (that may 
contain intermediate hops). On this connection, packets constructed in a specific 
VPN protocol format are encapsulated within some other base or carrier protocol, 
then transmitted between VPN client and server, and finally de-encapsulated on the 
receiving side. 


For Internet-based VPNs, packets in one of several VPN protocols are encapsulated 
within Internet Protocol (IP) packets. VPN protocols also support authentication and 
encryption to keep the tunnels secure. 


VPN supports two types of tunneling - voluntary and compulsory. Both types of 
tunneling are commonly used. 


In voluntary tunneling, the VPN client manages connection setup. The client first 
makes a connection to the carrier network provider (an ISP in the case of Internet 
VPNs). Then, the VPN client application creates the tunnel to a VPN server over this 
live connection. 


In compulsory tunneling, the carrier network provider manages VPN connection 
setup. When the client first makes an ordinary connection to the carrier, the carrier 
in turn immediately brokers a VPN connection between that client and a VPN server. 
From the client point of view, VPN connections are set up in just one step compared 
to the two-step procedure required for voluntary tunnels. 


What is a Heartbleed Vulnerability? 


Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely 
used implementation of the Transport Layer Security (TLS) protocol. 


Heartbleed may be exploited regardless of whether the vulnerable OpenSSL
instance is running as a TLS server or client. It results from improper input
validation (due to a missing bounds check) in the implementation of the
TLS heartbeat extension; thus the bug's name derives from "heartbeat". The
vulnerability is classified as a buffer over-read, a situation where more data can be
read than should be allowed.
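As an added example (not part of the original question set, and a Python model rather than OpenSSL's C code), the following shows what "missing bounds check" means for a heartbeat message. A request carries a 1-byte type, a 2-byte claimed payload length, the payload and 16 bytes of padding; the vulnerable handler copies as many bytes as the claimed length says, so the reply includes whatever happened to follow the record in memory, while the fixed handler discards any request whose claimed length does not fit in the record actually received. The "memory" contents are constructed.

```python
"""Heartbeat message handling: the missing bounds check behind Heartbleed.

Added example, not part of the original question set. It models, in Python,
a TLS heartbeat request (1-byte type, 2-byte claimed payload length, payload,
16 bytes of padding) sitting inside a larger memory buffer. The vulnerable
handler trusts the claimed length; the fixed handler checks it against the
record length actually received. The "memory" contents are constructed.
"""
import struct

HEADER = 1 + 2       # type + length fields
PADDING = 16         # minimum padding required by the heartbeat extension
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2


def build_request(payload, claimed_length=None):
    """Construct a heartbeat request; claimed_length may misstate the payload size."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def handle_vulnerable(memory, record_length):
    """Pre-fix behaviour: echo `claimed` bytes from after the header, unchecked."""
    _, claimed = struct.unpack("!BH", memory[:HEADER])
    echoed = memory[HEADER:HEADER + claimed]      # may run past record_length
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def handle_fixed(memory, record_length):
    """Post-fix behaviour: the claimed length plus framing must fit in the record."""
    _, claimed = struct.unpack("!BH", memory[:HEADER])
    if HEADER + claimed + PADDING > record_length:
        return None                               # silently discard the request
    echoed = memory[HEADER:HEADER + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def demo():
    """Return (bytes echoed by the vulnerable handler, result of the fixed handler)."""
    secret = b"SESSION-KEY-constructed-sample"       # data that happens to follow the record
    request = build_request(b"hi", claimed_length=40)  # says 40 bytes, carries 2
    memory = request + secret
    reply = handle_vulnerable(memory, len(request))
    echoed = reply[HEADER:HEADER + 40]
    return echoed, handle_fixed(memory, len(request))


if __name__ == "__main__":
    echoed, fixed = demo()
    print("vulnerable handler echoed:", echoed)
    print("fixed handler result:", fixed)
```

The check is the whole fix: the length field is attacker-controlled input, so it must be validated against the amount of data the peer actually sent before it is used as a copy length.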


Difference between HTTP and HTTPS? 


HTTP: an open connection which is not secured. It uses port 80.


HTTPS: a secured connection; it involves the TLS/SSL layer during
communication. It uses port 443.


What is SSL? 


SSL (Secure Sockets Layer) is a standard security protocol for establishing 
encrypted links between a web server and a browser in an online communication. 


The usage of SSL technology ensures that all data transmitted between the web 
server and browser remains encrypted. 


An SSL certificate is necessary to create an SSL connection. You need to give all the
details about the identity of your website and your company when you choose to
activate SSL on your web server. Following this, two cryptographic keys
are created - a private key and a public key.


What is Transport Layer Security (TLS)? 


Transport Layer Security (TLS) is a protocol that provides privacy and data 
integrity between two communicating applications. It's the most widely deployed 
security protocol used today, and is used for Web browsers and other applications 
that require data to be securely exchanged over a network, such as file 
transfers, VPN connections, instant messaging and voice over IP. 


True/False Positives and Negatives?


A true positive is an outcome where the model correctly predicts 
the positive class. Similarly, a true negative is an outcome where the 
model correctly predicts the negative class. 


A false positive is an outcome where the model incorrectly predicts 
the positive class. And a false negative is an outcome where the 
model incorrectly predicts the negative class. 
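As an added example (not part of the original question set), the following Python tallies the four outcomes for a detection rule over constructed (alert fired, actually malicious) pairs and derives precision and recall from them, which is how an analyst judges whether a rule is worth keeping.

```python
"""True/false positives and negatives from a list of alert outcomes.

Added example, not part of the original question set. Labels are constructed:
each item is (alert_fired, actually_malicious) for one event seen by a
detection rule; the functions tally the four outcomes and derive precision
(how many alerts were real) and recall (how many real incidents were caught).
"""

SAMPLE_OUTCOMES = [  # (alert_fired, actually_malicious), constructed
    (True, True), (True, True), (True, False), (False, True),
    (False, False), (False, False), (True, True), (False, False),
]


def confusion_counts(outcomes):
    """Return the confusion-matrix cells for (fired, malicious) pairs."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for fired, malicious in outcomes:
        if fired and malicious:
            counts["tp"] += 1          # correctly predicted positive
        elif fired and not malicious:
            counts["fp"] += 1          # incorrectly predicted positive (noise)
        elif not fired and malicious:
            counts["fn"] += 1          # incorrectly predicted negative (missed)
        else:
            counts["tn"] += 1          # correctly predicted negative
    return counts


def precision_recall(counts):
    """Precision = tp/(tp+fp); recall = tp/(tp+fn); 0.0 when undefined."""
    tp, fp, fn = counts["tp"], counts["fp"], counts["fn"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def false_positive_rate(counts):
    """Share of benign events that still raised an alert: fp/(fp+tn)."""
    fp, tn = counts["fp"], counts["tn"]
    return fp / (fp + tn) if fp + tn else 0.0


if __name__ == "__main__":
    c = confusion_counts(SAMPLE_OUTCOMES)
    p, r = precision_recall(c)
    print(c, f"precision={p:.2f} recall={r:.2f} fpr={false_positive_rate(c):.2f}")
```

For an IDS rule, false positives cost analyst time and false negatives cost missed intrusions; tightening a rule usually trades one for the other, which is why both precision and recall are tracked rather than a single accuracy figure.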


What is Data Leakage? 


The unauthorized transfer of classified information from a computer or datacenter 
to the outside world. Data leakage can be accomplished by simply mentally 
remembering what was seen, by physical removal of tapes, disks and reports or by 
subtle means such as data hiding (see steganography). 


Difference between Data Loss Prevention and Data Leakage Prevention 


Since data loss and data leakage can both result in a data breach, the detection and
handling of both data loss prevention and data leakage prevention must be
considered.


Data loss prevention focuses on the detection and prevention of sensitive data
exfiltration and/or lost data and includes use cases from a lost or stolen thumb
drive to ransomware attacks. In a data loss, the data is gone and may or may not
be recoverable.


Data leakage is more complex and includes the risk of sensitive data flowing
between an organization's critical systems, which are usually systems of record.
While safeguards can be assumed to be in place in the "system of record", data
leakage can occur when data is cascaded to complementary systems unless the
same level of data protection is enforced.


Where are viruses, malware and worms stored?

They are stored in the roaming profile temp folder:
C:\Users\UserID\AppData\Local\Temp

What is Malware and Malware Family? 


Malware is malicious code or malicious content which is used to exploit a
machine. The following are the members of the malware family:


Virus - This is a term that used to be generic. Any bad software used to be a virus; 
however, we use the term “malware” now. We use the word “virus” to describe a 
program that self-replicates after hooking itself onto something running in 
Windows®. 


Worm - A worm is another kind of self-replicating program but generally doesn’t 
hook itself onto a Windows process. Worms generally are little programs that run in 
the background of your system. 


Trojan - Software that you thought was going to be one thing but turns out to be
something bad. Named for the fabled "Trojan Horse" that appeared to be a gift but
in fact carried a dangerous payload.


Drive-by Download - This is probably the most popular way to get something 
nasty into your computer. Most of the time, it comes from visiting a bad web page. 
That web page exploits a weakness in your browser and causes your system to 
become infected. 


MALWARE ACTIONS 


Once malware is in your computer, it can do many things. Sometimes it’s only 
trying to replicate itself with no harm to anyone, other times it’s capable of doing 
very nasty things. 


Adware - not truly malware and almost never delivered using one of the methods 
above. Adware is software that uses some form of advertising delivery system. 
Sometimes the way that advertisements are delivered can be deceptive in that they 
track or reveal more information about you than you would like. Most of the time, 
you agree to the adware tracking you when you install the software that it comes 
with. Generally, it can be removed by uninstalling the software it was attached to. 


Spyware - software that monitors your computer and reveals collected information 
to an interested party. This can be benign when it tracks what webpages you visit; 
or it can be incredibly invasive when it monitors everything you do with your mouse 
and keyboard. 


Ransomware - lately a very popular way for Internet criminals to make money. 
This malware either locks you out of your system or, far more commonly today, 
encrypts your files so that you cannot read them. It then displays a screen that 
demands some form of payment (usually cryptocurrency) for the unlock code or 
decryption key. Access to your own data is literally held to ransom by the 
cyber-criminal; offline, tested backups are the primary defence. 


Scareware - software that appears to be something legit (usually masquerading as 
some tool to help fix your computer) but when it runs it tells you that your system is 
either infected or broken in some way. This message is generally delivered in a 
manner that is meant to frighten you into doing something. The software claims to 
be able to fix your problems if you pay them. Scareware is also referred to as 
“rogue” software - like rogue antivirus. 


Some malware gets into your computer and appears to do nothing at all. Such 
malware may have no obvious symptoms, but it has infected your computer along 
with a group of other computers, forming what is called a "botnet". This botnet 
can be directed by an Internet criminal to do any number of things, including spam 
delivery and attacking Internet sites. Internet criminals don't want to do anything 
directly that could be traced back to them, so they employ botnets to do their dirty 
work for them. 


TCP Flags? 


SYN - Synchronize. Initiates a connection and carries the initial sequence number. 

ACK - Acknowledges received data; set on every segment after the first SYN. 

FIN - Finish. Closes a connection gracefully; each side sends its own FIN. 

RST - Reset. Aborts a connection immediately, for example in response to a 
segment for a port that is not listening or to some other error. 

URG - The URG flag informs the receiving station that certain data within the 
segment is urgent and should be prioritized; the urgent pointer field says where 
that data ends. 

PSH - The PSH or PUSH flag tells the sending TCP to transmit the data immediately 
instead of waiting for its buffer to fill, and tells the receiving TCP to hand the 
data to the application immediately rather than buffering it. 

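To make the flag meanings concrete, here is an added example (not code from the original page) that decodes the flags from a raw TCP header and names the role of the segment, including the SYN/SYN-ACK/ACK handshake and combinations that a normal stack never sends. The headers it builds are constructed test data with the checksum left at zero. 

```python
import struct

# Flag bits in the low byte of TCP header bytes 12-13 (RFC 793; ECE/CWR from RFC 3168).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}
FLAG_BITS = {name: bit for bit, name in TCP_FLAGS.items()}
HEADER_FMT = "!HHIIHHHH"   # ports, seq, ack, offset+flags, window, checksum, urgent ptr


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed 20-byte TCP header with no options; checksum is left at 0."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    offset_flags = (5 << 12) | bits          # data offset 5 x 32-bit words = 20 bytes
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a dict, including the flag names."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, offset_flags, window, _csum, urg = struct.unpack(HEADER_FMT, raw[:20])
    header_len = (offset_flags >> 12) * 4    # upper 4 bits: header length in 32-bit words
    bits = offset_flags & 0xFF               # low 8 bits: the flags
    flags = [name for bit, name in sorted(TCP_FLAGS.items()) if bits & bit]
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": header_len, "flags": flags, "window": window,
            "urgent_pointer": urg if "URG" in flags else None}


def classify_segment(flags):
    """Name the role of a segment from its flags; flag combinations a normal
    stack never produces are reported as invalid (they indicate crafted packets)."""
    f = set(flags)
    if not f:
        return "invalid: no flags set (never produced by a normal TCP stack)"
    if "SYN" in f and ("FIN" in f or "RST" in f):
        return "invalid: SYN combined with FIN/RST (crafted packet)"
    if "RST" in f:
        return "abort: connection reset"
    if "SYN" in f and "ACK" in f:
        return "handshake 2/3: request accepted"
    if "SYN" in f:
        return "handshake 1/3: connection request"
    if "FIN" in f:
        return "teardown: graceful close"
    if "ACK" in f:
        return "established: data or acknowledgement"
    return "unusual: " + "+".join(sorted(f))


def three_way_handshake():
    """Constructed exchange: client port 40000 opens a connection to server port 443."""
    segments = [
        build_tcp_header(40000, 443, 1000, 0, {"SYN"}),             # client -> server
        build_tcp_header(443, 40000, 5000, 1001, {"SYN", "ACK"}),   # server -> client
        build_tcp_header(40000, 443, 1001, 5001, {"ACK"}),          # client -> server
    ]
    return [classify_segment(parse_tcp_header(s)["flags"]) for s in segments]


if __name__ == "__main__":
    for line in three_way_handshake():
        print(line)
    crafted = parse_tcp_header(build_tcp_header(1, 80, 0, 0, {"SYN", "FIN"}))
    print(crafted["flags"], "->", classify_segment(crafted["flags"]))
```

Note that the second segment acknowledges the client's sequence number plus one: the SYN itself consumes one sequence number, which is why the client's first ACK carries seq 1001. 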

Frequent HTTP Errors? 
HTTP ERROR 401 (UNAUTHORIZED) 


Despite its name, this error means "not authenticated": the client requested a 
resource that requires credentials and either supplied none or supplied invalid 
ones (for example a failed login). The response carries a WWW-Authenticate header 
telling the client how to authenticate, so the request can be retried. 


HTTP ERROR 400 (BAD REQUEST) 


This is basically an error message from the web server telling you that the 
application you are using (e.g. your web browser) accessed it incorrectly or that the 
request was malformed or somehow corrupted on the way. 


HTTP ERROR 403 (FORBIDDEN) 


This error is similar to the 401 error, but note the difference between unauthorized 
and forbidden: here the server knows who you are (or does not care) and still 
refuses, so authenticating again will not help. This can for example happen if you 
try to list a directory that the server has configured as forbidden. 


HTTP ERROR 404 (NOT FOUND) 


Most people are bound to recognize this one. A 404 error happens when you try to 
access a resource on a web server (usually a web page) that doesn't exist. Some 
reasons for this happening can for example be a broken link, a mistyped URL, or 
that the webmaster has moved the requested page somewhere else (or deleted it). 
To counter the ill effect of broken links, some websites set up custom pages for 
them (and some of those are really cool). 


HTTP ERROR 500 (INTERNAL SERVER ERROR) 


The description of this error pretty much says it all. It’s a general-purpose error 
message for when a web server encounters some form of internal error. For 
example, the web server could be overloaded and therefore unable to handle 
requests properly. 
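The 400/401/403/404 distinction is easiest to see in the order a request handler applies its checks. The following is an added example (not code from the original page) with hypothetical users, passwords and path rules; it checks authentication before resource existence so that an unauthenticated client cannot use 404-versus-401 responses to enumerate which protected paths exist. 

```python
import hmac
from dataclasses import dataclass, field

# Constructed example data (hypothetical users, passwords and path rules).
USERS = {"alice": ("s3cret", "admin"), "bob": ("hunter2", "user")}
RESOURCES = {"/admin/users": "admin", "/profile": "user"}   # path -> role required
CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)


def handle(path, username=None, password=None):
    """Pick the status code for a request. The order of the checks is the point:
    400 for a malformed request, 401 while we do not know who the caller is,
    and 404/403 only once the caller is authenticated."""
    if not path.startswith("/") or any(c in path for c in "\r\n\0"):
        return Response(400, "Bad Request")
    if username is None or password is None:
        # 401 must tell the client how to authenticate so that it can retry.
        return Response(401, "Unauthorized", dict(CHALLENGE))
    record = USERS.get(username)
    # Constant-time comparison, run against a dummy value when the user is
    # unknown so that response timing does not reveal which usernames exist.
    stored = record[0] if record else "x" * 8
    ok = hmac.compare_digest(stored.encode(), password.encode())
    if record is None or not ok:
        return Response(401, "Unauthorized", dict(CHALLENGE))   # wrong credentials
    required_role = RESOURCES.get(path)
    if required_role is None:
        return Response(404, "Not Found")
    if required_role == "admin" and record[1] != "admin":
        # Authenticated but not permitted: re-authenticating will not help.
        return Response(403, "Forbidden")
    return Response(200, "OK")


if __name__ == "__main__":
    for args in [("/profile",), ("/profile", "bob", "wrong"), ("/profile", "bob", "hunter2"),
                 ("/admin/users", "bob", "hunter2"), ("/missing", "alice", "s3cret"),
                 ("no-slash", "alice", "s3cret")]:
        r = handle(*args)
        print(args, "->", r.status, r.reason)
```

Some sites deliberately answer 404 instead of 403 for resources the caller may not even know about; that is a policy choice about information disclosure, and the handler above is where it would be made. 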


What is an SSL/TLS Certificate? 


SSL (the legacy name) or TLS (Transport Layer Security) certificates are data files 
that bind a public key to the identity of a domain and, for validated certificates, 
an organization, and are signed by a Certificate Authority (CA). When a certificate 
is installed on a web server, it lets browsers authenticate the server and set up an 
encrypted connection to it. The website's URL is prefixed with "https" instead of 
"http" and a padlock is shown in the address bar. If the website uses an extended 
validation (EV) certificate, older browsers also showed the organization name in a 
green address bar; most current browsers no longer give EV certificates special 
treatment. 


How Does SSL/TLS Work? 


The steps of a 'TLS handshake' as performed with RSA key exchange (TLS 1.2 and 
earlier) are explained below. TLS 1.3 removed RSA key exchange: the session keys 
are instead derived from an ephemeral (EC)DHE exchange and the certificate's private 
key is only used to sign the handshake, which gives forward secrecy. 


• An end-user asks their browser to make a secure connection to a website 
(e.g. https://www.example.com). 

• The browser obtains the IP address of the site from a DNS server, opens a TCP 
connection and sends a ClientHello offering the TLS versions and cipher suites it 
supports. 

• The server replies with its choice and identifies itself by sending a copy of its 
certificate (together with the intermediate CA certificates) to the browser. 

• The browser checks the certificate chain to ensure: 

  - that it chains up to a CA in the browser's trust store; 

  - that it is valid: the current time lies between its not-before and not-after 
    dates, and it has not been revoked (checked via OCSP, a CRL or the browser's 
    own revocation list); 

  - that it conforms to required security standards on key lengths, signature 
    algorithms and other items; 

  - that a domain listed in the certificate's Subject Alternative Name matches the 
    host name the user requested. 

• When the browser confirms that the website can be trusted, it creates a random 
pre-master secret which it encrypts with the public key in the website's 
certificate. The encrypted pre-master secret is then sent to the web server. 

• The web server uses its private key to decrypt the pre-master secret; both sides 
derive the same symmetric session keys from it. 

• Each side sends a Finished message encrypted with the session key, proving that 
it derived the same key. 

• From now on, all data transmitted between the server and the browser is 
encrypted and integrity-protected. 

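As an added example (not code from the original page), here are the two certificate checks a client can perform on its own, the validity period and the host-name match, written against the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. The certificate below is constructed test data; the chain-signature and revocation checks are not reproduced here, and in practice ssl.create_default_context() performs all of them. 

```python
import ssl

# Constructed certificate in getpeercert() form (hypothetical example data).
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "serialNumber": "0A1B2C",
}
NOW_VALID = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
NOW_EXPIRED = ssl.cert_time_to_seconds("Mar  1 12:00:00 2026 GMT")


def hostname_matches(pattern, hostname):
    """RFC 6125 style matching: case-insensitive; a single '*' is allowed only as
    the whole left-most label and matches exactly one label, so *.example.com
    matches api.example.com but not example.com, a.b.example.com or *.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """DNS names the certificate is valid for. Browsers use subjectAltName only;
    the Common Name is consulted only when no SAN is present (legacy behaviour)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_certificate(cert, hostname, now):
    """Return the reasons the certificate must be rejected (empty list = accept)."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(hostname_matches(name, hostname) for name in certificate_names(cert)):
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    for host, now in [("api.example.com", NOW_VALID), ("example.com", NOW_VALID),
                      ("www.example.com", NOW_EXPIRED)]:
        print(host, "->", check_certificate(EXAMPLE_CERT, host, now) or ["ok"])
```

The wildcard rules are where hand-rolled checks usually go wrong: a pattern such as *.com or w*.example.com must be rejected, and *.example.com must not match the bare apex name. 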

What details are included in an SSL/TLS certificate? 


An SSL/TLS certificate (an X.509 certificate) contains details of whom it has been 
issued to. This includes the subject's common name and, in the Subject Alternative 
Name extension, the domain names it is valid for; the serial number; the issuer (the 
CA that signed it); the period of validity, i.e. the not-before and not-after 
dates; the subject's public key and its algorithm; and the signature algorithm and 
signature value produced by the CA. The SHA-1/SHA-256 fingerprints shown by browsers 
are hashes computed over the certificate, not fields stored in it. Note that the 
TLS version, Perfect Forward Secrecy status and cipher suite are properties of the 
connection negotiated in the handshake, not of the certificate, even though browsers 
display them in the same dialog. Organization validated (OV) and extended 
validation (EV) certificates also contain verified identity information about the 
owner of the website, including organization name, address, city, state and 
country. 


ITIL: Information Technology Infrastructure Library? 


It is a set of detailed practices for IT service management (ITSM) that focuses on 
aligning IT services with the needs of business. 


ITIL describes processes, procedures, tasks, and checklists which are not 
organization-specific or technology-specific but can be applied by an organization 
for establishing integration with the organization's strategy, delivering value, and 
maintaining a minimum level of competency. It allows the organization to establish 
a baseline from which it can plan, implement, and measure. It is used to 
demonstrate compliance and to measure improvement. 


• ITIL Service Strategy: understands organizational objectives and customer 
needs. 

• ITIL Service Design: turns the service strategy into a plan for delivering the 
business objectives. 

• ITIL Service Transition: develops and improves capabilities for introducing 
new services into supported environments. 

• ITIL Service Operation: manages services in supported environments. 

• ITIL Continual Service Improvement: achieves incremental and large-scale 
improvements to services. 


Incident 


An unplanned interruption to an IT Service or a reduction in the Quality of an IT 
Service. Failure of a Configuration Item that has not yet impacted one or more 
Services is also an Incident. For example: Failure of one disk from a mirror set. 


Major Incident 


An event which has significant impact or urgency for the business/organization and 
which demands a response beyond the routine incident management process. 


A major incident will be an incident that is either defined in the major incident 
procedure or which: 


• may either cause, or have the potential to cause, impact on business-critical 
services or systems (which can be named in the major incident procedure); 

• or be an incident that has significant impact on reputation, legal compliance, 
regulation or security of the business/organization. 


Problem 


A cause of one or more Incidents. The cause is not usually known at the time a 
Problem Record is created, and the Problem Management Process is responsible for 
further investigation. 


Change 


The addition, modification or removal of anything that could have an effect on IT 
Services. The Scope should include all IT Services, Configuration Items, Processes, 
Documentation etc. 


Release 


A collection of hardware, software, documentation, Processes or other Components 
required to implement one or more approved Changes to IT Services. The contents 
of each Release are managed, tested, and deployed as a single entity. 


Service Request 


A request from a User for information, or advice, or for a Standard Change, or for 
Access to an IT Service. For example, to reset a password, or to provide standard IT 
Services for a new User. Service Requests are usually handled by a Service Desk, 
and do not require an RFC (Request for Change) to be submitted. 


